diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-07-26 14:11:56 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-08-03 18:48:04 +1000 |
commit | 36112a442fd851d79fef847bf75d570454116df8 (patch) | |
tree | db47b7421c53c624f1b7b5a3b0893ca0a3e39900 /source3 | |
parent | ef69e140d817688c6bba1b40713001f316421754 (diff) | |
download | samba-36112a442fd851d79fef847bf75d570454116df8.tar.gz samba-36112a442fd851d79fef847bf75d570454116df8.tar.bz2 samba-36112a442fd851d79fef847bf75d570454116df8.zip |
s3-smbd Ensure we do not read past the end of a possible NTLMSSP blob
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/smbd/sesssetup.c | 2 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 683f6b2c15..54c469c25a 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -1154,7 +1154,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) return; } - if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) { + if (blob1.length > 7 && strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) { DATA_BLOB chal; if (!vuser->auth_ntlmssp_state) { diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 45acff2778..a3283117b4 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -758,7 +758,7 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req, out_session_flags, out_security_buffer, out_session_id); - } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) { + } else if (in_security_buffer.length > 7 && strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) { return smbd_smb2_raw_ntlmssp_auth(session, smb2req, in_security_mode, |